From 72687b76ca9b9572cadf3cb22cd7280dccc11dd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 15 Sep 2022 12:23:58 +0200 Subject: [PATCH] Clarify dependencies in mbedtls_config.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - One module was missing the warning on psa_crypto_init(). - For modules that are affected by USE_PSA_CRYPTO, it makes more sense to mention that in the warning. - Attempt to improve the description of the TLS 1.3 situation. Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/mbedtls_config.h | 38 ++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 990dc5851..ff7b30e11 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1492,13 +1492,14 @@ * * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). * - * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C - * (Depends on ciphersuites) when MBEDTLS_USE_PSA_CRYPTO - * is not defined, PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or - * PSA_WANT_ALG_SHA_512 when MBEDTLS_USE_PSA_CRYPTO is defined. + * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and + * (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C) + * With MBEDTLS_USE_PSA_CRYPTO: + * PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or + * PSA_WANT_ALG_SHA_512 * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any TLS operation. + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call + * psa_crypto_init() before doing any TLS operations. * * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 */ @@ -1517,11 +1518,11 @@ * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * Requires: MBEDTLS_PSA_CRYPTO_C * - * Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use - * PSA for all crypto operations, you need to also enable - * MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are - * common with TLS 1.2 (record protection, running handshake hash) will still - * use non-PSA crypto. + * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditonally + * for most operations, if you want it to only use PSA for all crypto + * operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 + * operations, and functions that are common with TLS 1.2 (record protection, + * running handshake hash) will still use non-PSA crypto. * * Uncomment this macro to enable the support for TLS 1.3. */ @@ -2337,7 +2338,7 @@ * This module is used by the following key exchanges: * ECJPAKE * - * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C + * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C * * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() * before doing any EC J-PAKE operations. @@ -2654,7 +2655,10 @@ * * Module: library/pkcs5.c * - * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C. + * + * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() + * before doing any PKCS5 operation. * * This module adds support for the PKCS#5 functions. */ @@ -3136,8 +3140,8 @@ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO) * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any X.509 operation. + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call + * psa_crypto_init() before doing any X.509 operation. * * This module is required for the X.509 parsing modules. */ @@ -3197,8 +3201,8 @@ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C, * (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO) * - * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init() - * before doing any X.509 create operation. + * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call + * psa_crypto_init() before doing any X.509 create operation. * * This module is the basis for creating X.509 certificates and CSRs. */